Author Topic: False Positive: Site Blocked - URL:Blacklist  (Read 929 times)

Offline bachviet 23

  • Newbie
  • *
  • Posts: 1
False Positive: Site Blocked - URL:Blacklist
« on: June 05, 2023, 09:51:22 AM »
The Avast software is saying that our URL https://vneid.gov.vn/favicon.ico is blocked because of URL in Blacklist.

This has caused huge concerns among our customers. Can we understand what happened here and what had triggered the false positive?

Thank you in advance for clarification.

Kind regards

Bachviet

Support ID: 6797230ec213/2023-06-05T03:10:07.469Z
Popup: https://postimg.cc/21FRpDL4
« Last Edit: June 05, 2023, 10:07:43 AM by bachviet 23 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33743
  • malware fighter
Re: False Positive: Site Blocked - URL:Blacklist
« Reply #1 on: June 07, 2023, 03:06:42 PM »
The normal website address is not infested, flagged is that favicon.ico
which may contain malicious PHP-code.
Quote
The requested URL was rejected. Please consult with your administrator.

Your support ID is: 7248055357218949195

Wait for a final verdict from the Avast team, as such are their definitions.

polonus
« Last Edit: June 07, 2023, 03:22:19 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88128
  • No support PMs thanks
Re: False Positive: Site Blocked - URL:Blacklist
« Reply #2 on: June 07, 2023, 03:47:25 PM »
Quote
The normal website address is not infested, flagged is that favicon.ico
which may contain malicious PHP-code.
<snip quote>
polonus

This used to be a very common/old way to infect, as the favicon.ico is ordinarily run and loaded (to display the site icon) into the browser tab.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.9.6082 (build 23.9.8494.792) UI 1.0.781/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33743
  • malware fighter
Re: False Positive: Site Blocked - URL:Blacklist
« Reply #3 on: June 08, 2023, 10:36:03 AM »
DavidR is right, read here:
https://blog.sucuri.net/2022/09/how-are-favicon-ico-files-used-in-website-malware.html
But Sucuri as such does not flag this.

I scan this there:
Quote
{
    "ip": "-51.83.59.99",
    "ports": [
        22,
        80,
        443,
        500
    ],
    "cpes": [
        "cpe:/a:igor_sysoev:nginx",
        "cpe:/a:openbsd:openssh:7.4"
    ],
    "hostnames": [
        "wXw.sampleresponse.fr"
    ],
    "tags": [
        "vpn"
    ],
    "vulns": [
        "CVE-2017-15906"
    ]
}


Vulnerability involved, see: https://nvd.nist.gov/vuln/detail/CVE-2017-15906

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
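
A site owner can check their own favicon.ico for the condition discussed in this thread (an icon file that carries PHP or script content). The following Python is an added example, not code from any poster, Avast or Sucuri; it verifies the ICO structure and scans for script markers. The marker list, function names and sample bytes are assumptions constructed for the illustration.

```python
import struct

# Assumed marker list (constructed for this example); extend it for your environment.
SCRIPT_MARKERS = (b"<?php", b"<script", b"eval(", b"base64_decode(")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
HEADER_LEN, ENTRY_LEN = 6, 16  # ICONDIR and ICONDIRENTRY sizes in the ICO format


def inspect_favicon(data: bytes) -> list:
    """Return findings for one file; an empty list means it looks like a plain icon."""
    lowered = data.lower()
    findings = [f"script marker {m.decode()!r} present"
                for m in SCRIPT_MARKERS if m in lowered]
    if data.startswith(PNG_MAGIC):
        return findings  # PNG served as favicon.ico: only the marker scan applies
    if len(data) < HEADER_LEN:
        return findings + ["too short for an ICO header"]
    reserved, img_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or img_type != 1 or count == 0:
        return findings + ["not an ICO header"]
    images_start = HEADER_LEN + ENTRY_LEN * count
    if images_start > len(data):
        return findings + ["icon directory larger than file"]
    last_byte = images_start
    for i in range(count):
        # Bytes 8..15 of each entry hold the image size and its file offset.
        size, offset = struct.unpack_from("<II", data, HEADER_LEN + ENTRY_LEN * i + 8)
        if offset < images_start or offset + size > len(data):
            findings.append(f"entry {i} points outside the file")
        else:
            last_byte = max(last_byte, offset + size)
    if last_byte < len(data):
        findings.append(f"{len(data) - last_byte} trailing bytes after last image")
    return findings


def build_sample_ico(pixels: bytes = b"\x00" * 40) -> bytes:
    """Constructed one-image ICO (dummy pixel data) used as the clean sample."""
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(pixels), 22)
    return header + entry + pixels


if __name__ == "__main__":
    samples = {
        "clean icon": build_sample_ico(),
        "text file named favicon.ico": b"<?php /* constructed placeholder */ ?>",
        "icon with appended tag": build_sample_ico() + b"<?php ?>",
    }
    for name, blob in samples.items():
        print(name, "->", inspect_favicon(blob) or "no findings")
```

A finding here is a reason to inspect the file by hand, not proof of infection; a clean result says nothing about why a URL appears on a vendor blacklist.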